how can an external service see what web browsers are connected / have been connected to my server?
They might be accessing data which was collected from any tracking services you are using (google analytics or an advertising service, for example). Either publicly available information or information they bought.
Alternatively, it is possible that they simply try to access your website with a User-Agent
header of an outdated browser to see if they get blocked. If they don't get blocked, they will deduce that since your website is public-facing and since there is still a significant number of internet users who use outdated browsers and since you don't stop them from visiting your website, there must be some of them who indeed browse your website with their malware magnets.
I don't see how I can be responsible for what browser version a client uses?
Outdated web browsers might lack security features which newer browsers have, like protection from cross-origin request forgery, heuristic XSS detection or protection from browser-hijacking malware. If you do things you shouldn't be doing (like integrating arbitrary HTML content from servers not under your control) and assume that the modern web browsers will protect your visitors from anything that could go wrong, then you are putting your visitors in unnecessary danger.
Further, visitors with unsafe software configurations might be infected with malware. That malware might perform actions on your website the user isn't aware of. Online banking trojans, for example. If you are running an online banking website, then a user infected with malware who tries to pay their plumber might send their life savings to hackers in Nigeria instead. That might technically not be your fault, but the user might still try to hold you responsible. A good lawyer might protect you from having to pay for the damages (if you are lucky), but not from the PR fallout.
But what can you do about that?
Well, you could try to detect outdated web browsers by browser fingerprinting and reject them. But it usually goes against your business objectives to reject otherwise desirable customers. The better approach would be to fix those security problems on your website to make sure that even outdated browsers can use it safely. Because, as you reasoned correctly, a public website has no control over the software configuration of its visitors.
OK, but why doesn't the tool report these vulnerabilities instead of telling me to be careful about the browsers people use?
Because the perceived value of such tools is by what they report, not by what they don't report. That's why such tools usually err on the side of caution and tend to over-report irrelevant problems. If the tool just tells you "everything is OK, keep doing what you are already doing", you wouldn't perceive it as very valuable. So they make sure to include a couple tests which result in a couple positives on almost all websites they check, even if the actionable advise which can be taken from these results is minimal.